2014-01-04

Cryptic Military Password Requirements

Just a few notes here for an unnamed (non-secret) military website (ending in .mil). The sole idea of this post is to briefly articulate how "strong" a password is required to be, that is, until everything moves to requiring a physical smart card plus card reader.

(The following is not word for word, but just the general idea in my own words.)

Here's what is highly recommended (read: required) by the site:
- Up to 55 characters.
- Contain 2+ of each of the following:
  - UPPERCASE letters
  - lowercase letters
  - symbols
  - numbers
- NOT contain:
  - Any self-identifying information
  - Words that can be found in the dictionary (thus preventing dictionary attacks)
  - Common passwords, like "password", "654321", "abc", "qwerty", "asdfghjkl;'"

And now the special considerations:
- Password lasts less than six months
- Can't reuse passwords
- Passwords must be significantly different from previously used ones

The above is all true.
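To make the policy above concrete from the enforcing side, here is an added example (not the site's own code) of a validator that applies those rules to a candidate password and reports every violation at once, which is what a user actually needs in order to fix a rejected password. The dictionary and common-password lists are tiny constructed stand-ins; the 55-character limit is read as a maximum; and the 0.5 similarity threshold used for "significantly different from previously used ones" is an assumption, since the post does not say how the site measures that.

```python
import re
import string
from difflib import SequenceMatcher

# Constructed stand-in lists (assumption): a real deployment would load a full
# dictionary and a breached-password list rather than these few entries.
DICTIONARY_WORDS = {"password", "secret", "summer", "welcome", "soldier"}
COMMON_PASSWORDS = {"password", "654321", "abc", "qwerty", "asdfghjkl;'"}

MAX_LENGTH = 55          # "Up to 55 characters", read as a maximum
MIN_PER_CLASS = 2        # "2+ of each" character class
MAX_SIMILARITY = 0.5     # assumed cut-off for "significantly different"


def check_password(candidate, identifying_info=(), previous=()):
    """Return a list of policy violations; an empty list means the password passes.

    identifying_info: strings the user must not embed (name, unit, birth year ...).
    previous: earlier passwords, available in clear only at change time when the
    user has just typed the current one.
    """
    problems = []

    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Count each required character class.
    classes = {
        "uppercase letters": sum(c.isupper() for c in candidate),
        "lowercase letters": sum(c.islower() for c in candidate),
        "numbers": sum(c.isdigit() for c in candidate),
        "symbols": sum(c in string.punctuation for c in candidate),
    }
    for name, count in classes.items():
        if count < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {name}")

    lowered = candidate.lower()

    # Self-identifying information, matched case-insensitively as a substring.
    for info in identifying_info:
        if info and info.lower() in lowered:
            problems.append(f"contains self-identifying information: {info!r}")

    # Dictionary words: split on non-letters so "Summer2014!!" still trips on "summer".
    for word in re.findall(r"[a-z]+", lowered):
        if word in DICTIONARY_WORDS:
            problems.append(f"contains dictionary word: {word!r}")

    # Common passwords: exact match, or a longer common string embedded inside.
    if lowered in COMMON_PASSWORDS or any(
        common in lowered for common in COMMON_PASSWORDS if len(common) >= 4
    ):
        problems.append("contains a common password")

    # Reuse and near-reuse of previous passwords.
    for old in previous:
        if candidate == old:
            problems.append("reuses a previous password")
        elif SequenceMatcher(None, candidate, old).ratio() > MAX_SIMILARITY:
            problems.append("too similar to a previous password")

    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("Tr4v3l#Kq9!mZp", "Summer2014!!", "JSmith#1985!!Ab"):
        print(pw, "->", check_password(pw, identifying_info=("Smith", "1985")) or "OK")
```

Note what the validator cannot do: the similarity rule only works when the old password is available in clear, which in practice is the moment the user changes it. Against a stored history of hashes, the site can only detect exact reuse, which is part of why "significantly different" rules tend to be enforced loosely.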

Now, how does one remember this obfuscated password?

Well, one idea is to write it on a sticky note and put it on the computer. (Please don't do this.) Another idea is to not remember the password at all and fall back on the possibly weaker route of just knowing a few pieces of self-identifying information for a phone call or an automatic password recovery system.

Two more bad ideas for remembering complicated passwords to a secure system:
- Using a third-party password solution
- Save in a plain text document
- Save in an encrypted document with the decryption key on the same machine